{"id":37366,"date":"2021-02-23T19:57:35","date_gmt":"2021-02-23T17:57:35","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=37366"},"modified":"2025-08-29T15:58:35","modified_gmt":"2025-08-29T12:58:35","slug":"what-are-confidential-transactions-ct","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/what-are-confidential-transactions-ct\/","title":{"rendered":"What are Confidential Transactions (CT)?"},"content":{"rendered":"<div id=\"cards_wrapper\">\n<div class=\"single_card\">\n<h2 class=\"card_label\"><strong class=\"card_label\">What are Confidential Transactions?<\/strong><\/h2>\n<\/div>\n<\/div>\n<blockquote>\n<div><strong>Note: This article is outdated and awaiting an update.<\/strong><\/div>\n<\/blockquote>\n<div><\/div>\n<div id=\"cards_wrapper\">\n<div class=\"single_card\">\n<div class=\"card_description\">Confidential Transactions (CT) is a cryptographic protocol that hides the recipient\u2019s address and the actual amounts on transaction inputs and outputs from third parties. 
At the same time, it lets anyone verify that the sum of all outputs does not exceed the sum of all inputs, which is sufficient to validate a transaction.<\/div>\n<\/div>\n<div class=\"single_card\">\n<h2 class=\"card_label\"><strong class=\"card_label\">Who invented Confidential Transactions, and when?<\/strong><\/h2>\n<div class=\"card_description\">\n<p>The first version of the concept, dubbed \u201cbitcoins with homomorphic value,\u201d was <a href=\"https:\/\/bitcointalk.org\/index.php?topic=305791.0\" target=\"_blank\" rel=\"noopener\">proposed<\/a> in 2013 by Hashcash inventor and Blockstream co-founder Adam Back.<\/p>\n<p>In 2015 the technology was first implemented in Blockstream\u2019s sidechain <a href=\"https:\/\/elementsproject.org\/\" target=\"_blank\" rel=\"noopener\">Elements<\/a>.<\/p>\n<p>The concept was later developed by Bitcoin Core developer Gregory Maxwell.<\/p>\n<\/div>\n<\/div>\n<div class=\"single_card\">\n<h2 class=\"card_label\"><strong class=\"card_label\">Why are Confidential Transactions needed?<\/strong><\/h2>\n<div class=\"card_description\">\n<p>Bitcoin does not provide full confidentiality. Because the blockchain is public, transaction-analysis tools can trace movements of funds and, in many cases, identify who is transacting.<\/p>\n<p>This lack of privacy undermines fungibility and increases the risk of censorship. Exchanges and other services may block users because their coins were previously involved in illegal activity, even if the current owner is unaware of that history. Confidential Transactions can, in principle, mitigate these problems.<\/p>\n<\/div>\n<\/div>\n<div class=\"single_card\">\n<h2 class=\"card_label\"><strong class=\"card_label\">How does the technology work?<\/strong><\/h2>\n<div class=\"card_description\">\n<p>The technology introduces new address and transaction formats. 
A transaction format comprises a scriptPubKey, a Pedersen commitment scheme, and an <a href=\"https:\/\/ru.wikipedia.org\/wiki\/%D0%9F%D1%80%D0%BE%D1%82%D0%BE%D0%BA%D0%BE%D0%BB_%D0%94%D0%B8%D1%84%D1%84%D0%B8_%E2%80%94_%D0%A5%D0%B5%D0%BB%D0%BB%D0%BC%D0%B0%D0%BD%D0%B0_%D0%BD%D0%B0_%D1%8D%D0%BB%D0%BB%D0%B8%D0%BF%D1%82%D0%B8%D1%87%D0%B5%D1%81%D0%BA%D0%B8%D1%85_%D0%BA%D1%80%D0%B8%D0%B2%D1%8B%D1%85\" target=\"_blank\" rel=\"noopener\">ECDH<\/a> (Elliptic-Curve Diffie\u2013Hellman) nonce.<\/p>\n<p>The scriptPubKey contains a Confidential Transaction Address (CTA) and a spending condition under which bitcoin may be spent only if ownership of the address\u2019s private key is proven with a signature.<\/p>\n<p>A Confidential Transaction Address is a hash of a blinding key plus a conventional bitcoin address.<\/p>\n<p>The blinding key hides both the bitcoin address and the transaction amount in the public ledger. Possession of the blinding key also lets one see the bitcoin address and the amount within the confidential transaction.<\/p>\n<p>A Pedersen commitment is a hash of the entire bitcoin output plus the blinding key.<\/p>\n<p>The ECDH nonce is a key that allows the entire confidential transaction to be revealed. It is used to transmit encrypted data to the transaction\u2019s recipient, who learns the bitcoin transaction output and the confidential transaction\u2019s blinding factor.<\/p>\n<p><em>Example of CTs in action.<\/em><\/p>\n<p>Alice has two bitcoins and wants to send one to Bob.<\/p>\n<p>After receiving Bob\u2019s address, Alice creates a blinding key and combines it with the address into a single hash. This produces a confidential address. 
Although it is recorded on the public ledger, no one besides Alice and Bob knows that the confidential transaction address corresponds to Bob\u2019s address.<\/p>\n<p><em>Example of a confidential address:<\/em><\/p>\n<p>CTEwQjyErENrxo8dSQ6pq5atss7Ym9S7P6GGK4PiGAgQRgoh1iPUkLQ168Kqptfnwmpxr2Bf7ipQsagi<\/p>\n<p>Alice then creates a confidential transaction. Using the same blinding key and a one-bitcoin output, she forms a Pedersen commitment. The amount Alice sends to Bob is hidden from the public, yet both of them can see it because they each possess the public blinding key. Alice has it as the creator; Bob can derive it with the private key of his bitcoin address.<\/p>\n<p>Next, Alice creates a scriptPubKey with the confidential transaction address she derived from Bob\u2019s bitcoin address, together with a spending condition stating that one bitcoin can be spent if Bob proves control of the address\u2019s private key with a signature.<\/p>\n<p>The transaction is then recorded on the public ledger.<\/p>\n<\/div>\n<\/div>\n<div class=\"single_card\">\n<h2 class=\"card_label\"><strong class=\"card_label\">How does the technology preserve balance consistency?<\/strong><\/h2>\n<div class=\"card_description\">\n<p>One key principle in Bitcoin is conservation of value: the amount of bitcoin credited to an address must equal the amount debited from it.<\/p>\n<p>Because Confidential Transactions hide amounts, two issues arise:<\/p>\n<ul>\n<li>The usual way of computing fees by subtraction becomes impossible.<\/li>\n<li>The network cannot tell whether an output matches an input, making conservation of value unverifiable.<\/li>\n<\/ul>\n<p>The first issue is easy to solve by making transaction fees publicly visible.<\/p>\n<p>The second is addressed with Pedersen commitments.<\/p>\n<p>Pedersen commitments have the distinctive mathematical property of homomorphism. A homomorphism preserves structure between two algebraic systems. 
This is effective for <a href=\"https:\/\/forklog.com\/en\/news\/what-is-cryptography-who-are-the-cypherpunks\">cryptography<\/a> because it lets one commit to data and verify relations about it using simple algebraic operations such as addition\u2014without revealing the underlying data itself.<\/p>\n<p><em>Example:<\/em><\/p>\n<p>Take a simple algebraic structure and \u201chash\u201d values by multiplying by 2.<\/p>\n<p>(a + b)*2 = a*2 + b*2<\/p>\n<p>Assume a=1 and b=3.<\/p>\n<p>(1+3)*2 = 1*2 + 3*2<\/p>\n<p>4*2 = 2+6<\/p>\n<p>If we replace the value of \u201ca\u201d on the left-hand side with another number, say 4, the algebraic structure no longer holds:<\/p>\n<p>(a + b)*2 = a*2 + b*2<\/p>\n<p>(4 + 3)*2 \u2260 1*2 + 3*2<\/p>\n<p>Using the homomorphic property of Pedersen commitments, Confidential Transactions enforce conservation of value for bitcoin addresses.<\/p>\n<p>Now apply this to Alice sending Bob one bitcoin. For simplicity, ignore fees.<\/p>\n<p>Alice has a two-bitcoin Pedersen commitment for her confidential transaction. When Alice sends Bob one bitcoin, she uses a specific formula to create the commitment. She uses the same formula to send one bitcoin to a change address. We add the two commitments to check whether the result equals Alice\u2019s original two-bitcoin Pedersen commitment. If it does, the commitment is a valid confidential transaction.<\/p>\n<\/div>\n<\/div>\n<div class=\"single_card\">\n<h2 class=\"card_label\"><strong class=\"card_label\">What are the advantages of Confidential Transactions?<\/strong><\/h2>\n<div class=\"card_description\">\n<p>The protocol improves bitcoin\u2019s privacy. 
Blinding keys mask bitcoin addresses and amounts, enhancing fungibility.<\/p>\n<p>Blinding keys can also be shared for auditing: a payer or payee may grant a third party access to the blinding key for audit purposes.<\/p>\n<\/div>\n<\/div>\n<div class=\"single_card\">\n<h2 class=\"card_label\"><strong class=\"card_label\">What are the drawbacks of Confidential Transactions?<\/strong><\/h2>\n<div class=\"card_description\">\n<p>While CTs hide transaction amounts, observers can still see sender and recipient addresses.<\/p>\n<p>A potential workaround is to create false negatives by sending zero-amount outputs to multiple addresses to obscure the true destination.<\/p>\n<p>CTs can also be combined with <a href=\"https:\/\/forklog.com\/en\/news\/what-is-coinjoin-what-is-zerolink-what-is-stonewall\">CoinJoin<\/a>, which aggregates transaction outputs into one large transaction, hiding relationships between users from outside observers.<\/p>\n<p>Another limitation is that CT hides the amount only for a specific transaction. If a subsequent transaction is not confidential, its data can be used to infer the amount of the earlier confidential transaction.<\/p>\n<p>For example, if Alice sends Bob an unknown amount, and Bob later sends five bitcoins to Carol and two to himself as change, one can deduce that Alice sent Bob seven bitcoins.<\/p>\n<p>Confidential Transactions are effective only if the technology is widely adopted.<\/p>\n<ul>\n<li>A confidential transaction\u2019s data volume is roughly 20 times that of a regular transaction, tripling computational load. Fees for CTs will therefore be significantly higher, limiting the pool of potential users.<\/li>\n<li>The size of CTs conflicts with either scalability (the network processes fewer transactions), decentralisation (fewer users can run full nodes and verify everything), or both.<\/li>\n<li>It is unclear whether all users would accept making bitcoin more private and fungible. 
Lack of consensus could complicate the soft forks needed to implement the technology.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<div class=\"single_card\">\n<h2 class=\"card_label\"><strong class=\"card_label\">Where is the technology used?<\/strong><\/h2>\n<div class=\"card_description\">\n<p>CTs are deployed in the commercial sidechain <a href=\"https:\/\/forklog.com\/en\/news\/what-is-the-liquid-network\">Liquid<\/a>, developed by Blockstream. The technology lets Liquid users verify that received amounts do not exceed sent amounts.<\/p>\n<p>In Liquid, among other things, this means funds can move between exchanges without revealing the amounts. Competitors cannot see exchange balances, and traders cannot exploit such information in markets, as they often can today: blockchain transparency enables those with knowledge of a large impending transaction to trade ahead of it.<\/p>\n<p>A variant of CTs\u2014Ring Confidential Transactions (Ring CT)\u2014is used in <a href=\"https:\/\/forklog.com\/en\/news\/what-is-monero-xmr\">Monero<\/a>. Other adaptations appear in Bitshares and in the <a href=\"https:\/\/forklog.com\/en\/news\/what-is-mimblewimble\">MimbleWimble<\/a> protocol, which underpins <a href=\"https:\/\/forklog.com\/en\/news\/what-is-grin\">Grin<\/a> and <a href=\"https:\/\/forklog.com\/en\/news\/what-is-beam\">Beam<\/a>.<\/p>\n<p>CTs could also be implemented in Bitcoin\u2019s base layer. 
Several ideas exist for doing so via a backward-compatible soft fork, though such upgrades would still hurt scalability and are likely some way off.<\/p>\n<\/div>\n<\/div>\n<div class=\"single_card\">\n<h2 class=\"card_label\"><strong class=\"card_label\">What are Confidential Assets?<\/strong><\/h2>\n<div class=\"card_description\">Confidential Assets extend the functionality of CTs: the sender and recipient remain visible on-chain, but the specific asset being transferred\u2014bitcoin, gold, securities or something else\u2014is hidden.<\/div>\n<\/div>\n<div class=\"single_card\">\n<h2 class=\"card_label\"><strong class=\"card_label\">Who invented Confidential Assets, and when?<\/strong><\/h2>\n<div class=\"card_description\">\n<p>Confidential Assets were invented by Blockstream developers Andrew Poelstra, Adam Back, Mark Friedenbach, Gregory Maxwell and Pieter Wuille.<\/p>\n<p>The <a href=\"https:\/\/blockstream.com\/bitcoin17-final41.pdf\" target=\"_blank\" rel=\"noopener\">white paper<\/a> on Confidential Assets was published on Blockstream\u2019s website on April 3, 2017. The company announced Confidential Assets as a new option for the Sidechain Elements technology.<\/p>\n<\/div>\n<\/div>\n<div class=\"single_card\">\n<h2 class=\"card_label\"><strong class=\"card_label\">How do Confidential Assets work?<\/strong><\/h2>\n<div class=\"card_description\">\n<p>CTs use a Pedersen commitment that replaces the original transaction amount on-chain:<\/p>\n<p><em>commitment = xG + a(H + rG)<\/em><\/p>\n<p><em>Where a is the transaction amount, G and H are elliptic-curve generators. G is a constant. H represents the asset type and takes different values for different confidential assets. 
x and r are blinding factors.<\/em><\/p>\n<p><em>They are set to different random values in each UTXO (unspent transaction output) to hide both the transaction amount and the asset type.<\/em><\/p>\n<p>This model allows verification that inputs and outputs balance for each asset in every transaction. The verifier sees the commitment but not the amount or the asset type.<\/p>\n<p>The sender transmits the amount and asset type to the recipient encrypted, either on-chain or off-chain in a p2p format, so that only the two parties know the details.<\/p>\n<p>During asset issuance, transfer and burning, Zero-Knowledge Proofs (ZKP) are also required to prove that the amount and asset type are within acceptable ranges without revealing them. The proof for the asset type is called a Surjection Proof.<\/p>\n<\/div>\n<\/div>\n<div class=\"single_card\">\n<h2 class=\"card_label\"><strong class=\"card_label\">What are the drawbacks of Confidential Assets?<\/strong><\/h2>\n<div class=\"card_description\">\n<p>Implementation is possible only in a new blockchain or via a hard fork of an existing one.<\/p>\n<p>Smart contracts cannot be added to this scheme, so one cannot customise the logic of Confidential Assets or build on-chain applications atop them. Developers can implement only limited logic via techniques such as Scriptless Script.<\/p>\n<p>Technologies such as AZTEC, Zether, Anonymous Zether, PGC and Nightfall address this issue. In all of these, existing blockchain privacy schemes (<a href=\"https:\/\/forklog.com\/en\/news\/what-is-zcash-zec\">zk-SNARK<\/a>, MimbleWimble, etc.) are implemented with smart contracts. 
This model provides:<\/p>\n<ul>\n<li>Programmability: smart contracts modify the logic of issuance, burning, transfer and exchange, expanding the functions and attributes of Confidential Assets.<\/li>\n<li>Interoperability: Confidential Assets can interact with other contracts (tokens, auctions, voting), enabling more applications.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<div class=\"single_card\">\n<h2 class=\"card_label\"><strong class=\"card_label\">Where are Confidential Assets used?<\/strong><\/h2>\n<div class=\"card_description\">\n<p>In the Elements project, Confidential Assets are applied to the Bitcoin network.<\/p>\n<p>In Bitcoin-based implementations the transaction process is non-interactive\u2014the recipient need not be online to receive a transaction. In MimbleWimble-based systems the process is interactive.<\/p>\n<p>In Bitcoin-based Confidential Assets implementations, both parties\u2019 addresses are visible, unlike in MimbleWimble-based systems.<\/p>\n<p>The technology can also be implemented in systems based on the <a href=\"https:\/\/forklog.com\/en\/news\/what-is-mimblewimble\">MimbleWimble<\/a> protocol\u2014Grin and Beam. Beam\u2019s developers enabled this via the Eager Electron 5.0 hard fork in June 2020.<\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>What are Confidential Transactions? Note: This article is outdated and awaiting an update. 
Confidential Transactions (CT) is a cryptographic protocol that hides the recipient\u2019s address and the actual amounts on transaction inputs and outputs from third parties, while still allowing anyone to verify that total outputs do not exceed total inputs\u2014enough to validate a transaction.<\/p>\n","protected":false},"author":1,"featured_media":37367,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"2","_short_excerpt_text":"A primer on Confidential Transactions: hiding recipient addresses and amounts while keeping transactions verifiable.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[2113],"tags":[2120,2128],"class_list":["post-37366","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptorium","tag-101-anonymity","tag-confidential-transactions"],"aioseo_notices":[],"amp_enabled":true,"views":"50","promo_type":"1","layout_type":"1","short_excerpt":"A primer on Confidential Transactions: hiding recipient addresses and amounts while keeping transactions 
verifiable.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/37366","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=37366"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/37366\/revisions"}],"predecessor-version":[{"id":37368,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/37366\/revisions\/37368"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/37367"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=37366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=37366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=37366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}